
Route based VPN

Every time a new network subnet is added at a site, the VPN domain should be updated. The configuration update must be done not only on the local gateway, but also on the remote gateways. Route based VPN solves the above problems.

In route based VPN, a point-to-point L3 interface is created and all traffic sent to this interface is tunneled to the remote gateway. For a given pair of gateways, only one tunnel is created. Once this is done, the administrator only needs to add routes to the remote networks via the tunnel interfaces. If dynamic routing protocols are used, the administrator need not even create routes explicitly.

Route based VPN

With a Route based VPN, an NGX gateway can decide to encrypt and decrypt a packet using a VPN tunnel interface, which is an OS level virtual interface that provides a door to a VPN tunnel. When properly configured, the packet will then go through a route based VPN via the appropriate VTIs. Route based VPN is only supported on SecurePlatform and IPSO 3.9 (or higher). To implement route based VPN you need to configure a VTI (Virtual Tunnel Interface).

Virtual Tunnel Interface

A VTI is an OS level virtual interface that can be used as a security gateway to the VPN domain of the peer gateway. Each VTI is associated with a single tunnel to a VPN-1 peer gateway, and the peer gateway should also be configured with a corresponding VTI. The native IP routing mechanism can direct traffic into the tunnel just as it would for any other type of interface. All traffic specific to a network will be routed through the associated VTI.

VPN routing process for VTI

A packet with destination address X is matched against the routing table. The routing table indicates that destination X should be routed through a point-to-point link, which is the VTI associated with gateway Y.

The VPN-1 kernel intercepts the packet as it enters the VTI.

The packet is encrypted using the IPSec SA parameters with peer gateway Y as defined in the VPN community. Based on the new destination IP (Y's address), the packet is rerouted by VPN-1 into the physical interface, again according to the appropriate routing table entry for Y's address.


[Figures: VPN Tunnel Interface; VPN Routing Process]

Numbered VTI

Supported only on SecurePlatform (SPLAT). If the VPN Tunnel Interface is numbered, the interface is assigned a local IP address and a remote IP address. The local IP address will be the source IP for connections originating from the gateway and going through the VTI. VTIs may share an IP address, but cannot use the IP address of an already existing physical interface.

Numbered VTI (contd)

VTIs can be manually configured using vpn shell. Syntax for creating VTIs:

    Expert# vpn shell interface add numbered <local VTI IP> <Remote VTI IP> <peer gateway object name> <VTI_name>

Syntax for viewing VTIs:

    Expert# vpn shell show interface summary all

For route based VTIs, after the VTIs are created it is necessary to add static routes pointing to the VTI as the interface used to reach the peer's internal network.

Unnumbered VTI

Supported only on IPSO 3.9 or higher. If the VTI is unnumbered, no local and remote IP addresses are configured.

Unnumbered VTIs must be assigned a proxy interface. The proxy interface's address is used as the source IP for outbound traffic.
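A planned set of VTIs is easy to get wrong before it is typed into vpn shell: a local address that collides with a physical interface, an unnumbered VTI with no proxy interface, or two tunnels to the same peer. The following check is an added example (not Check Point code and not from the slides) that applies the constraints stated above to a constructed plan and, for the numbered VTIs that pass, renders the "vpn shell interface add numbered" command line in the syntax given on the previous slide. All interface names, peer object names and addresses are made up for the example.

```python
"""Check a planned set of VTIs against the rules stated in the slides:
a numbered VTI (SecurePlatform) needs a local and a remote address, its
local address may be shared with other VTIs but must not reuse a physical
interface address; an unnumbered VTI (IPSO) carries no addresses and must
be given a proxy interface; and each peer gateway gets exactly one tunnel.
Interface names, peer names and addresses below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass
class PhysicalInterface:
    name: str
    ip: str


@dataclass
class VTI:
    name: str
    peer: str                              # peer gateway object name
    local_ip: Optional[str] = None         # numbered VTIs only
    remote_ip: Optional[str] = None        # numbered VTIs only
    proxy_interface: Optional[str] = None  # unnumbered VTIs only

    @property
    def numbered(self):
        return self.local_ip is not None or self.remote_ip is not None


def _valid_ip(addr):
    try:
        ip_address(addr)
        return True
    except ValueError:
        return False


def validate_vtis(vtis, physical):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    phys_ip_owner = {p.ip: p.name for p in physical}
    phys_names = {p.name for p in physical}
    tunnel_for_peer = {}
    for v in vtis:
        # Only one tunnel is created for a given pair of gateways.
        if v.peer in tunnel_for_peer:
            problems.append(f"{v.name}: peer {v.peer} already served by {tunnel_for_peer[v.peer]} (one tunnel per gateway pair)")
        else:
            tunnel_for_peer[v.peer] = v.name
        if v.numbered:
            if not (v.local_ip and v.remote_ip):
                problems.append(f"{v.name}: numbered VTI needs both a local and a remote address")
                continue
            if not (_valid_ip(v.local_ip) and _valid_ip(v.remote_ip)):
                problems.append(f"{v.name}: malformed VTI address")
                continue
            if v.local_ip == v.remote_ip:
                problems.append(f"{v.name}: local and remote addresses are identical")
            # Sharing a local address between VTIs is allowed; reusing a physical address is not.
            if v.local_ip in phys_ip_owner:
                problems.append(f"{v.name}: local address {v.local_ip} is already the address of physical interface {phys_ip_owner[v.local_ip]}")
            if v.proxy_interface:
                problems.append(f"{v.name}: proxy interface applies only to unnumbered VTIs")
        else:
            if not v.proxy_interface:
                problems.append(f"{v.name}: unnumbered VTI must be assigned a proxy interface")
            elif v.proxy_interface not in phys_names:
                problems.append(f"{v.name}: proxy interface {v.proxy_interface} does not exist")
    return problems


def numbered_vti_commands(vtis):
    """Emit the slides' 'vpn shell interface add numbered' syntax for each numbered VTI."""
    return [f"vpn shell interface add numbered {v.local_ip} {v.remote_ip} {v.peer} {v.name}"
            for v in vtis if v.numbered]


# Constructed plan: two physical interfaces and six candidate VTIs.
PHYSICAL = [PhysicalInterface("eth0", "192.0.2.1"), PhysicalInterface("eth1", "198.51.100.1")]
PLAN = [
    VTI("vt-branchA", "BranchA", local_ip="10.0.0.1", remote_ip="10.0.0.2"),
    VTI("vt-branchB", "BranchB", local_ip="10.0.0.1", remote_ip="10.0.0.3"),   # shared local IP: allowed
    VTI("vt-branchC", "BranchC", local_ip="192.0.2.1", remote_ip="10.0.0.4"),  # reuses eth0's address
    VTI("vt-branchD", "BranchD", proxy_interface="eth0"),                       # unnumbered, OK
    VTI("vt-branchE", "BranchE"),                                               # unnumbered, no proxy
    VTI("vt-branchA2", "BranchA", local_ip="10.0.0.5", remote_ip="10.0.0.6"),  # second tunnel to BranchA
]

if __name__ == "__main__":
    for p in validate_vtis(PLAN, PHYSICAL):
        print("PROBLEM:", p)
    for cmd in numbered_vti_commands(PLAN):
        print(cmd)
```

Running it reports three problems (the reused physical address, the unnumbered VTI without a proxy interface, and the second tunnel to BranchA) and prints one add command per numbered VTI; the static routes towards each peer's internal network still have to be added afterwards, as the slide says.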


Domain-Based Vs Route based VPN

It is important to note that a route-based VPN does not replace a domain-based VPN, but expands it. Domain-based VPN takes precedence over route-based VPN. Dynamic routing protocol information can propagate over the VPN, so the VPN device can be automatically updated with network changes on any VPN peer gateway. In case of one tunnel failure, other tunnels may be used to route the traffic.
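The routing process on the "VPN routing process for VTI" slide and the precedence rule stated here are easiest to see traced end to end. The following is an added example, not Check Point code and not part of the slides: a small model of a hub gateway that performs the longest-prefix lookup, intercepts at the VTI, encrypts towards the peer that VTI belongs to, and re-routes the outer packet by the peer's address through a physical interface. It checks domain-based membership before the route lookup, since domain-based VPN takes precedence, and skips routes whose VTI is down so a backup tunnel carries the traffic. Interface names, peer names, prefixes and addresses are all constructed.

```python
"""Trace how a route-based VPN gateway handles a packet, following the
slides' VPN routing process: longest-prefix lookup, interception at the
VTI, IPsec encryption towards the peer named by that VTI, and a second
lookup that sends the outer packet out of a physical interface. The
domain-based check runs first because domain-based VPN takes precedence,
and routes whose VTI is down are skipped so a backup tunnel can be used.
All names and addresses are constructed for the example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    prefix: str
    interface: str          # physical interface or VTI name
    metric: int = 0


@dataclass
class Peer:
    name: str
    public_ip: str          # where the IPsec outer packet is sent
    vpn_domain: list = field(default_factory=list)  # domain-based networks, if any


@dataclass
class Gateway:
    routes: list
    vtis: dict              # VTI name -> peer gateway object name
    peers: dict             # peer name -> Peer
    down: set = field(default_factory=set)  # VTIs whose tunnel is currently down

    def lookup(self, dst):
        """Longest-prefix match; lowest metric wins on ties; down VTIs are skipped."""
        addr = ip_address(dst)
        best, best_key = None, None
        for r in self.routes:
            if r.interface in self.down:
                continue
            net = ip_network(r.prefix)
            if addr in net:
                key = (net.prefixlen, -r.metric)
                if best_key is None or key > best_key:
                    best, best_key = r, key
        return best

    def forward(self, dst):
        trace = []
        # Domain-based VPN takes precedence over route-based VPN.
        for p in self.peers.values():
            if any(ip_address(dst) in ip_network(d) for d in p.vpn_domain):
                trace.append(f"{dst} is in the VPN domain of {p.name}: domain-based VPN applies")
                return self._encrypt_to(p, dst, trace)
        # Step 1: match destination X against the routing table.
        route = self.lookup(dst)
        if route is None:
            trace.append(f"no route to {dst}")
            return {"action": "drop", "trace": trace}
        if route.interface not in self.vtis:
            trace.append(f"{dst} routed in clear via {route.interface}")
            return {"action": "clear", "egress": route.interface, "trace": trace}
        # Step 2: the route points at a VTI; the VPN kernel intercepts the packet there.
        peer = self.peers[self.vtis[route.interface]]
        trace.append(f"route {route.prefix} -> {route.interface}; intercepted at VTI for {peer.name}")
        return self._encrypt_to(peer, dst, trace)

    def _encrypt_to(self, peer, dst, trace):
        # Step 3: encrypt with the SA for peer Y; the outer destination is Y's address.
        trace.append(f"encrypt {dst} with IPsec SA for {peer.name}; outer dst {peer.public_ip}")
        # Step 4: re-route the outer packet by Y's address through a physical interface.
        outer = self.lookup(peer.public_ip)
        if outer is None or outer.interface in self.vtis:
            trace.append(f"no physical route to {peer.public_ip}")
            return {"action": "drop", "peer": peer.name, "trace": trace}
        trace.append(f"outer packet leaves via {outer.interface} (route {outer.prefix})")
        return {"action": "encrypt", "peer": peer.name, "egress": outer.interface, "trace": trace}


def example_gateway(down=()):
    """Constructed hub gateway: two physical interfaces, three VTIs, one domain-based peer."""
    return Gateway(
        routes=[
            Route("0.0.0.0/0", "eth0"),                      # Internet; reaches the peers' public IPs
            Route("172.16.0.0/16", "eth1"),                  # local LAN
            Route("10.20.0.0/16", "vt-branchA"),
            Route("10.40.0.0/16", "vt-branchA"),             # overlaps BranchB's VPN domain
            Route("10.30.0.0/16", "vt-branchB", metric=10),
            Route("10.30.0.0/16", "vt-branchC", metric=20),  # backup tunnel
        ],
        vtis={"vt-branchA": "BranchA", "vt-branchB": "BranchB", "vt-branchC": "BranchC"},
        peers={
            "BranchA": Peer("BranchA", "203.0.113.10"),
            "BranchB": Peer("BranchB", "203.0.113.20", vpn_domain=["10.40.0.0/16"]),
            "BranchC": Peer("BranchC", "203.0.113.30"),
        },
        down=set(down),
    )


if __name__ == "__main__":
    gw = example_gateway()
    for dst in ("10.20.5.5", "10.40.1.1", "172.16.3.3", "10.30.1.1"):
        print(dst, gw.forward(dst)["trace"])
    print("10.30.1.1 with vt-branchB down:",
          example_gateway(down=["vt-branchB"]).forward("10.30.1.1")["trace"])
```

The 10.40.1.1 case is the one to watch: the static route points at vt-branchA, but the address lies in BranchB's VPN domain, so the packet is encrypted to BranchB. That is exactly the precedence rule on this slide, and it is why overlapping a route-based prefix with a peer's encryption domain produces traffic paths the routing table alone does not predict.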
